Spear Phishing In Financial Services: A New, More Covert Style of Attack

The term phishing is well known in most security-conscious businesses and users have generally become more discerning of clumsily-formatted mails notifying them that the Amazon order they didn’t place is awaiting collection. What they might not question however, is a brief one-line email, seemingly from their boss or trusted colleague, asking them to review an attached document or link.

Spear phishing is the cybercriminal’s answer to our growing caution. It is more sophisticated and targeted in its nature. In keeping with the metaphor, if phishing is casting a line and seeing what bites, spear phishing is putting all your effort into catching that one prize fish. Generally, the approach involves an attacker researching a target on a public platform (LinkedIn, company website etc.) and gleaning any available information on their role, business function and position within the company. One common approach is to select a victim and pose as an authoritative or trusted colleague, sometimes ‘spoofing’ their account or mimicking their email address with a similarly named domain (e.g. [at] options-it.com might become [at] optiions-it.com). From this point, they might be blatant enough to immediately request a transfer of funds to an offshore account somewhere, but typically there is a longer and more complex strategy in play.

According to enterprise security experts Trend Micro, spear phishing is the cybercriminal’s preferred attack vector for initiating advanced persistent threats – a class of network attack which focuses on a well-planned and well-executed breach over a prolonged duration where the key objective is data theft. This 2014 phishing and spam report also offers some fascinating insights. Such attacks are not ‘snatch-and-grab’ robberies of a liquor store; they are a more coordinated and methodical Ocean’s Eleven-style heist.

While spear phishing itself often stays out of the mainstream news, its fallout does not. The 2011 RSA security breach began with a spear phishing email sent to a number of handpicked individuals. The payload delivered was malware posing as an RSA 2011 recruitment plan spreadsheet which, in turn, gave the attackers a backdoor into RSA’s network. The December 2013 Target breach, which affected an estimated 70 million customers, was also initiated with a spear phishing mail sent to an HVAC vendor of Target’s that had access to Target’s network.

So what are Options doing about spear phishing?

In the last 3 months, Options has partnered with a leading cybersecurity solutions provider to augment our increasingly security-aware platform. Among other related initiatives, we have successfully replaced our platform mail gateways, giving us more features to assist us in policing the mail entering (and exiting) our network. One of the many features is a more robust means of analyzing file attachments and embedded links within email.

With the formation of Options’ dedicated security team at the start of this year, we became more proactive in optimizing our platform security posture. For example, a recent review of incoming mail by top-level domain showed certain domains were being used almost exclusively for spam (.xyz, .link, .porn, etc). Stricter controls at this high level reduce the amount of malicious mail entering the platform.
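The top-level-domain review described above can be reproduced from ordinary gateway logs. The Python below is an added example (not Options’ tooling or gateway configuration): it tallies messages and spam verdicts per sender TLD, lists the TLDs that are both seen often enough and almost always spam, and wraps the result in a rejection rule that lets an explicitly allowlisted domain through. The log line format, the sample lines, the minimum sample size and the spam-ratio threshold are all constructed for this example.

```python
"""Rank sender TLDs by spam ratio from gateway logs and derive a gateway rule.

Added example with a constructed log format; not a real product's log syntax.
"""
import re
from collections import defaultdict

# Constructed gateway log: one message per line, envelope sender plus the
# content filter's verdict. One malformed line is included on purpose.
SAMPLE_LOG = """\
from=<deals@cheap-stuff.xyz> verdict=spam
from=<promo@win-now.xyz> verdict=spam
from=<offers@click.xyz> verdict=spam
from=<free@prize.xyz> verdict=spam
from=<dave@legit-startup.xyz> verdict=clean
from=<news@short.link> verdict=spam
from=<alerts@go.link> verdict=spam
from=<click@here.link> verdict=spam
from=<alice@partner-bank.com> verdict=clean
from=<bob@supplier.com> verdict=clean
from=<spam@bulk-mailer.com> verdict=spam
from=<carol@research.org> verdict=clean
this line is not a message record
"""

LINE_RE = re.compile(r"from=<[^@>]+@([^>]+)>\s+verdict=(spam|clean)")


def tld_of(domain: str) -> str:
    """Last DNS label, lower-cased: 'mail.example.xyz' -> 'xyz'."""
    return domain.lower().rstrip(".").rsplit(".", 1)[-1]


def spam_ratio_by_tld(log_text: str) -> dict:
    """Return {tld: (total_messages, spam_messages)} from gateway log lines."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # skip unparsable lines, never guess
        tld = tld_of(m.group(1))
        stats[tld][0] += 1
        if m.group(2) == "spam":
            stats[tld][1] += 1
    return {t: tuple(v) for t, v in stats.items()}


def candidate_block_tlds(stats: dict, min_messages: int = 3,
                         min_ratio: float = 0.8) -> list:
    """TLDs seen at least min_messages times with a spam share >= min_ratio.

    The sample-size floor stops a single bad sender from condemning a TLD.
    """
    return sorted(t for t, (total, spam) in stats.items()
                  if total >= min_messages and spam / total >= min_ratio)


def should_reject(sender: str, blocked_tlds, allowlist=frozenset()) -> bool:
    """Gateway rule: reject by TLD unless the exact domain is allowlisted."""
    domain = sender.lower().rsplit("@", 1)[-1].rstrip(".")
    if domain in allowlist:
        return False                      # a known-good domain always wins
    return tld_of(domain) in blocked_tlds


if __name__ == "__main__":
    stats = spam_ratio_by_tld(SAMPLE_LOG)
    for tld, (total, spam) in sorted(stats.items()):
        print(f".{tld:5s} {spam}/{total} spam")
    blocked = candidate_block_tlds(stats)
    print("candidate block list:", blocked)
    print(should_reject("dave@legit-startup.xyz", blocked,
                        allowlist={"legit-startup.xyz"}))
```

The allowlist is the part that matters operationally: a TLD-level block is a blunt instrument, so the legitimate .xyz sender in the sample log (dave@legit-startup.xyz) is exactly the case that needs an exception before the rule goes live, and the block list should be re-derived periodically rather than set once.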

At Options, we recognize that technology is only a part of a security initiative – awareness is another important tool. We’ve been working with our clients to encourage security awareness throughout their own user base. One tool we’ve suggested to clients is PhishMe. PhishMe allows administrators to send innocuous and specifically tailored pseudo-phishing mails to their user base. The tool then provides full visibility into who opens it, who responds to it and who forwards it. From the deployments I’ve been involved with, this type of initiative has been very well received in both investor due diligence and regulatory cybersecurity questionnaires.

What can your firm do about this?

One advantage you have over the attacker is your familiarity with your colleagues’ mannerisms. Does your boss stick to informal one-liners? Is there a colleague who consistently writes ‘thx’ instead of ‘thanks’ and signs off with his initials only? Would you notice if they didn’t? Learn to take note of your colleagues’ style and mannerisms.

Ensure people in your company are prepared to question something they find suspicious. If you work in accounting and get a mail asking for an urgent transfer to an unrecognized party, take 30 seconds to pick up the phone and verify.

Remember the HVAC company that opened the backdoor for attackers into Target’s network? Do your due diligence on all third parties you associate with regularly, especially those you let on your network.

Ensure your IT provider is dedicated to constantly improving security, not only in terms of technology, solutions and appliances, but also in procedure and awareness.